Mega Patch Day, Password Hijack, and WireLurker
What new security updates do I need? Are attackers exploiting new zero day attacks that affect me? Should I be concerned with any new attack campaigns? What can I learn from the latest network breaches? If you’ve asked yourself these questions, but don’t have time to find the answers, this is the weekly video for you. In it, I summarize the biggest security news from the week and explore what we might learn from it.
Today’s episode talks about the upcoming humongous Microsoft Patch day, explores a password hijack that succeeded despite good security practices, and covers two major threats that affect Apple’s OS X and iOS devices. Watch the video for details, and check out the links below for other interesting stories.
Have a safe and fun weekend!
(Episode Runtime: 11:20)
Direct YouTube Link: https://www.youtube.com/watch?v=PXJ1t23K5hY
Episode References:
- Expect a crazy big Microsoft Patch Tuesday next week – Microsoft
- Very interesting password hack, despite good password practices – @gb on Ello
- Rootpipe: Local elevation of privilege flaw in OS X Yosemite – Macworld
- Video of Rootpipe in action – YouTube
- WireLurker – New malware infects iOS devices via OS X – Seattle Times
- Full research whitepaper on WireLurker [PDF] – Palo Alto
- Apple updates mitigate WireLurker – ZDNet
- UPDATE: WireLurker now affects Windows machines – CNR Onlinb
Extras:
- Flaw found in “chip-n-pin” credit cards that allows million dollar fraudulent transactions – Wired
- Alleged Silk Road 2.0 administrator arrested; site downed – Krebs on Security
- Actually, multiple “Darkweb” market sites seized – DeepDotWeb
- Five most Common FaceBook scam bait topics – Security Affairs
- How can Verizon customers defeat their ISP’s super tracking cookie? VPN. – The Register
- Detailed writeup on a buffer overflow found in a consumer Belkin router – Integrity Labs
- Smuggler: Using 802.11 wireless traffic as a covert communication backchannel – Spider Labs
- New phishing attack in Japan is even more advanced and stealthy – Softpedia
- Chinese attacker allegedly attacking fracking firms for IP – Slashdot
- More than half of home routers use the manufacturer’s default password – BetaNews
- I’ve said it before, but MD5 is very dead (crypto weakness) – Ars Technica
- Hilton Honor rewards points stolen via four pin brute force attack – The Register
- Banks collaborate to launch cyber attack intelligence sharing (Soltra Edge) – Reuters
- More watering hole attacks; popular music site redirects to exploit kit – Symantec
- Web site links to all the insecure, default password IP webcams – Network World
- Google paper on manual account hacking/hijacking [PDF] – Google
- 158 malware variants born a minute (likely not new but recrypted variants) – The Register
- Information Commissioner’s Office (ICO) suffered a SQL injection (SQLi) breach – v3.co.uk
- A DHS “background check” contracter suffered a breach (chain-of-trust attack) – The Register
- Backoff PoS malware continues to evolve – SC Magazine
- Australian spear phishing campaign baits with fake speed trap fines – Naked Security
- Also, E-Z Pass spear phishing campaigns target US drivers – Network World
- Researchers say Apple’s iWorm fix is insufficient – Network World
- Home Depot breach due to a chain-of-trust attack – Network World
- China building “secure” private networks – Telegraph
- US government wants more “hacking” powers – TechDirt
- Speaking of social engineering, this is a good example – YouTube
— Corey Nachreiner, CISSP (@SecAdept)
Leave a Reply